Docs/add security policy

CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| Latest release | Yes |
+| Older releases | No |
+
+Security fixes are provided on a best-effort basis for the latest release only.
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability in ExStruct, please report it by email to `[email protected]`.
+
+For vulnerabilities or other sensitive security problems that are not already public, please do not open a public GitHub issue first. Email is the preferred initial reporting channel.
+
+If the issue is already public or is not sensitive, GitHub Issues can still be used for general discussion after the initial report or for non-security bugs.
+
+Please include as much of the following as you can:
+
+- affected ExStruct version
+- platform and environment details
+- reproduction steps or a proof of concept
+- expected impact
+- any suggested mitigation or fix ideas
+
+## What to Expect
+
+ExStruct is maintained as a personal project, so security triage and fixes are handled on a best-effort basis.
+
+There is no official SLA or guaranteed response time, but I will try to acknowledge reports and assess severity when possible.
+
+Please avoid public disclosure until the issue has been reviewed and a mitigation or fix path is clear.
+
+## Non-Security Issues
+
+For general bugs, usage questions, and non-sensitive discussion, please use GitHub Issues.

tasks/feature_spec.md

@@ -168,3 +168,43 @@
 
 - `recommended`
 - rationale: the change turns AI-agent operational workflow into a durable repository rule and resolves recurring tradeoffs around single-skill packaging, repo source of truth, and the CLI-versus-MCP boundary.
+
+## 2026-04-16 SECURITY.md policy
+
+### Goal
+
+- Add a root-level `SECURITY.md` that GitHub can recognize as the repository security policy.
+- Direct security reports to `[email protected]` and keep sensitive disclosures out of public issue threads when they are not already public.
+- Keep the change documentation-only with no code, package, CLI, MCP, or MkDocs navigation impact.
+
+### Public contract summary
+
+- The repository gains one new public policy document: `SECURITY.md`.
+- Supported versions are defined as the latest release only.
+- Security vulnerabilities should be reported by email first.
+- Public GitHub issues remain appropriate for non-security problems and already-public, non-sensitive discussion.
+
+### Permanent destinations
+
+- `SECURITY.md`
+  - Canonical public security policy document for responsible disclosure and supported-version guidance.
+- `tasks/feature_spec.md` and `tasks/todo.md`
+  - Retain only this compact implementation record and verification evidence for the session.
+
+### Constraints
+
+- `SECURITY.md` is English-only for this change.
+- `README.md`, `README.ja.md`, `docs/`, and `mkdocs.yml` remain unchanged.
+- The supported-version policy must avoid hard-coding a specific release number and instead describe support as "latest release".
+
+### Verification
+
+- `rg -n "Security Policy|[email protected]|Latest release|GitHub Issues" SECURITY.md`
+- `git diff --check -- SECURITY.md tasks/feature_spec.md tasks/todo.md`
+- `uv run task precommit-run`
+- `uv run pytest -q`
+
+### ADR verdict
+
+- `not-needed`
+- rationale: this adds a single public repository policy document without changing architecture, public API design, or long-lived internal tradeoff policy.

tasks/todo.md

@@ -83,3 +83,25 @@
   - `rg -n "^## |Tests:|Code:|Related specs:" dev-docs/adr/ADR-0009-single-cli-skill-for-agent-workflows.md`
   - `uv run task precommit-run`
   - `git diff --check`
+
+## 2026-04-16 SECURITY.md policy
+
+### Planning
+
+- [x] Confirm whether `SECURITY.md` already exists and review the current public-document tone in `README.md` and `CONTRIBUTING.md`.
+- [x] Define the minimal public policy: latest-release-only support and email-first disclosure to `[email protected]`.
+- [x] Add a root-level `SECURITY.md` with supported versions, reporting instructions, and expectations for response/disclosure.
+- [x] Record the durable destination and ADR verdict in `tasks/feature_spec.md`.
+- [x] Run the planned verification commands and record the results.
+
+### Review
+
+- Added the root-level `SECURITY.md` as the durable public security policy document with latest-release-only support guidance and email-first reporting to `[email protected]`.
+- Kept the change documentation-only; `README.md`, `README.ja.md`, `docs/`, `mkdocs.yml`, code, and public runtime interfaces were unchanged.
+- `tasks/feature_spec.md` now records the compact spec, permanent destination, verification commands, and `not-needed` ADR verdict for this session.
+- Verification:
+  - `rg -n "Security Policy|[email protected]|Latest release|GitHub Issues" SECURITY.md`
+  - `git diff --check -- SECURITY.md tasks/feature_spec.md tasks/todo.md`
+  - `uv run task precommit-run`
+  - `uv run pytest -q`
+  - Result summary: `pre-commit` passed (`ruff`, `ruff-format`, `mypy`), and `pytest` completed with `913 passed, 4 skipped`.